The pluses and minuses of the Personal Data Protection Bill 2009.
It is past midnight and you are sleeping soundly. Suddenly, an SMS beeps in. It turns out to be a message from a hotel, which you have never been to in your life, giving away a free one-night stay. Annoyed, you go back to bed. But you toss and turn. You can’t get back to sleep and get even more irritated.
Many of us have experienced similar incidents with these unsolicited phone calls, SMSes and e-mail messages. And many have also noticed that these nuisance calls or messages are almost always after they had divulged their personal contact information.
It could have been a warranty card you filled up, or you handed over your business card to participate in a “lucky draw” somewhere, or you had just subscribed to some service. In any case, someone either sold your contact information or is misusing it.
At the very least, such misuse means you are inconvenienced or irritated by sales pitches. But more worrying is that your information could be used for more nefarious activities, such as scams, identity theft, and cheating.
The Personal Data Protection (PDP) Bill 2009, which was passed in the Senate (Dewan Negara) recently, is aimed at putting a stop to such misuse of your personal information, as well as the malicious use of the data.
University Malaya law professor Abu Bakar Munir, who played an advisory role in the drafting of the Bill, said it plays a crucial role in protecting a person’s details in commercial transactions whether online or offline.
“It makes it illegal for anyone — companies or individuals — to give out or sell someone else’s personal information without prior consent,” he said, adding that it stipulates penalities for such transgressions.
The Bill is expected to be gazetted into law this year. When it is, Malaysia will be among the first in Asean to have introduced such legislation.
Personal information, under the Bill, means any data that can identify an individual — name, age, MyKad details, photo, passport number, video and images captured via closed-circuit television.
“If you receive any unsolicited direct marketing messages or advertisements, you will be able to lodge a complaint with the personal data protection commissioner, who will investigate,” Abu Bakar said. At the time of writing, the mechanism for lodging such complaints had yet to be set up.
Those found guilty of contravening the rules could be fined a sum not exceeding RM200,000 or be jailed for a period not exceeding two years, or both.
Abu Bakar believes those penalities should be sufficient to dissuade anyone from illegally sharing someone else’s personal information.
But the ramifications of the PDP Bill 2009 becoming law has great depth and breadth. Foong Cheng Leong, an advocate and solicitor with Lee, Hishammuddin, Allen & Gledhill, sees it even affecting the way businesses and other organisations store the personal data of their customers.
He said the contents of the Bill would apply to local and foreign companies operating in this country, as long as the personal information in question is being processed in Malaysia.
It will require businesses to clearly tell customers that their personal information is being collected, why the data is being amassed, and what they want to do with the details.
“By doing this, the personal information of the customers is protected and it helps to control abuse of the data, such as selling the contact numbers to a third party,” said Foong, who specialises in intellectual property and information technology legal issues.
“It also forbids the businesses to transfer the personal information outside Malaysia without the consent of the customer or the designated countries which is provided by the personal data protection commissioner,” he said.
In this way, the customers will know where their personal information is residing.
According to Foong, it would be in the interest of the companies and organisations having people’s personal information now to already start ensuring that their data-collecting mechanisms are in sync with the requirements stated in the Bill.
“For a start, the companies need to ensure that their customer forms have a section that seeks consent from the customers to collect their personal information, as well as stating why the data is needed and what it will be used for,” he said.
“Any company that has been collecting such information before the law comes into force must still comply with the provisions of the Bill within three months thereof.”
Also, under the Bill, a customer can ask the company, from which he or she has bought products or services from, to show what personal data it has collected on him or her.
But there are exceptions to this rule, according to lawyer Tong Lai Ling, a partner at Raja, Darryl & Loh.
Tong said one exception is when providing that information will disclose confidential commercial data, in which case the company is not obligated to meet the customer’s request.
“Another exception is when the burden or expense of retrieving the data is disproportionate with the risk to the customer’s privacy in relation to personal data,” she said. Tong has 10 years of experience in cyberlaw.
Under the Bill, the collection of sensitive personal data such as medical reports, political affiliations and religious beliefs is also subject to conditions.
“For example, a housing developer cannot ask for a medical report when entering into a sales and purchase agreement with a buyer,” she said.
The Bill isn’t as encompassing as it could be, said Tong at Raja, Darryl & Loh.
“For example, it only applies to personal data gathered as a result of commercial transactions. As such, it would seem that only companies, religious bodies, political parties and charitable organisations that engage in business will be subject to Personal Data Protection rules if they collect customer data,” she said.
The general consensus is that any and every organisation that collects your personal data should be subject to the rules in the Bill.
Also, it is not easy in some circumstances to draw a line between commercial and non-commercial transactions, said Foong at Lee, Hishammuddin, Allen & Gledhill.
He and Tong pointed out that according to the Bill, information collected by federal and state governments is not subject to the stipulations provided for.
“What if the Selangor State Development Corporation (PKNS) forms a business joint venture with the Government.
“PKNS, created under the Selangor State Development Corporation Enactment, 1964, means it should be treated as a separate legal entity,” said Foong.
“But it is not clear whether or not PKNS in such a situation would be bound by the data protection rules in the Bill. A similar predicament arises with any other local authority, statutory body, or state corporate entity.”
Also, the fact that the Bill exempts the Government from personal data protection rules should be of great concern to everyone, he said. “The Government is the biggest collector of personal data — from the time we are born to the day we die.”
Foong believes the Government should play its role as the protector of the personal information of its citizens.
He said the Government has stated that it has its own mechanism for protecting the personal data of its citizens. But it has not revealed if the mechanism is as extensive as that set down in the Bill for the handling of personal data.
The Bill stipulates seven principles governing the handling of such data — covering everything from getting permission from the citizen to why the information is needed, to what can be stored, to how long it can be stored, and to how much of it can be shared.
University Malaya’s Abu Bakar recommends that the Government develop a set of rules and regulations, i.e. a code of practice, to protect the personal information of the rakyat, or have separate legislation to that respect.
Despite some shortcomings, the Personal Data Protection Bill 2009 is still a good start towards empowering Malaysians to maintain their privacy.
When it becomes law, it will need to be finetuned from time to time so that it provides better protection and does not become antiquated.
So, the next time you get an SMS or phone call in the middle of the night or any other time for a free night’s stay or another unsolicited service or product, it could be the other guy that gets the wake-up call.
Note: The Personal Data Protection Act 2010 has received the Royal Assent on June 2, 2010 which now makes it an Act. However, the Act will only take effect when the Government gazettes it.
Did you find this article insightful?